Rapid7 Blog

New jutsu: trackVal


I've just added a new jutsu method to byakugan to help you find the address of a particular primitive (DWORD, WORD, or BYTE) in memory. Obviously, this isn't a terribly difficult task: you use the search function in windbg. What trackVal does for you is let you see which of the thousand-odd addresses search returns is actually the one storing the primitive you care about. As an example, I'll demonstrate how to use trackVal to determine where the result value lives in calc.exe.

First, we load calc.exe and do a simple operation which will give us a result. I'll just do 9999 + 1, which will of course give us a value of 10000, or 0x2710 in hex. With the value displayed in calc, we attach with windbg, load byakugan, and issue the first trackVal command:

0:002> !jutsu trackVal result 4 0x2710
[J] Creating new list of candidates for result.
[J] Discovered 115 possible candidate addresses for result

Let's dissect the command:
- result is the unique name of the value we're tracking; it's arbitrary, but we'll need to remember it for later
- 4 is the size in bytes of the primitive we're concerned with; it can be 4, 2, or 1
- 0x2710 is the hex value that we'd like to find

Once the command is issued, we're informed that the name is unrecognized, so an initial sweep of process memory occurs to find all the possible candidate addresses for our value. When this is finished, we're informed that there are 115 possibilities. Far too many.

Our next task is to let the process continue and make a minor change to the value in question. We'll add 3 to it, for a value of 0x2713, then break again and reissue our command:

0:002> !jutsu trackVal result 4 0x2713
[J] Narrowing down candidate list for result from 115 candidates.
[J] Value result is stored at address 0x0014cc64

The command is the same as before, apart from the value. It is important that we use the same name, because this time around only the previously discovered candidate addresses are searched. Out of the 115 addresses, only one holds our new value, and we are informed of this. Score. If more than one had held the value, we could change the value again and repeat this exercise until the list is fully narrowed down.
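The sweep-then-narrow logic behind the two commands above, written out as an added Python example rather than byakugan's own code. It assumes a memory image supplied as base-address-to-bytes regions, little-endian encoding, and a byte-granular scan in which unaligned hits also count as candidates; the addresses and values planted in the image are constructed for the example, with the "real" address chosen to match the 0x0014cc64 from the walkthrough. It also takes the narrowing one step further than the post: a second pass that still leaves two candidates is followed by a third that settles it.

```python
import struct

# Little-endian pack formats for the three primitive sizes trackVal accepts.
PACK = {4: "<I", 2: "<H", 1: "<B"}


class ValueTracker:
    """Sweep-then-narrow search for a primitive in a memory image.

    `regions` maps a base address to a bytearray holding that region's
    contents; it stands in for the live process memory that byakugan reads
    through windbg (an assumption of this example, not the real API).
    """

    def __init__(self, regions):
        self.regions = regions
        self.tracked = {}  # name -> (size, [candidate addresses])

    def read(self, addr, size):
        """Read a `size`-byte little-endian integer at `addr`, or None if unmapped."""
        for base, buf in self.regions.items():
            off = addr - base
            if 0 <= off and off + size <= len(buf):
                return struct.unpack(PACK[size], buf[off:off + size])[0]
        return None

    def write(self, addr, size, value):
        """Overwrite the primitive at `addr` (simulates the target changing it)."""
        for base, buf in self.regions.items():
            off = addr - base
            if 0 <= off and off + size <= len(buf):
                buf[off:off + size] = struct.pack(PACK[size], value)
                return
        raise ValueError("address %#x is not mapped" % addr)

    def sweep(self, size, value):
        """Initial pass: every byte offset at which the encoded value appears."""
        needle = struct.pack(PACK[size], value)
        hits = []
        for base, buf in self.regions.items():
            i = buf.find(needle)
            while i != -1:
                hits.append(base + i)
                i = buf.find(needle, i + 1)  # advance one byte: unaligned hits count too
        return hits

    def track(self, name, size, value):
        """Mirror of `!jutsu trackVal <name> <size> <value>`.

        Unknown name: sweep all memory and remember the candidates.
        Known name:   keep only the remembered candidates that now hold `value`.
        """
        if size not in PACK:
            raise ValueError("size must be 4, 2 or 1")
        if name not in self.tracked:
            cands = self.sweep(size, value)
        else:
            prev_size, prev = self.tracked[name]
            if prev_size != size:
                raise ValueError("size for %r changed from %d to %d" % (name, prev_size, size))
            cands = [a for a in prev if self.read(a, size) == value]
        self.tracked[name] = (size, cands)
        return cands

    def listing(self):
        """Name, size and remaining candidate count for every tracked value."""
        return {n: (s, len(c)) for n, (s, c) in self.tracked.items()}


def demo():
    # Constructed memory image: a 64 KiB heap-like region and a 4 KiB page.
    # Every address below is invented for the example.
    mem = ValueTracker({0x00140000: bytearray(0x10000), 0x7ffe0000: bytearray(0x1000)})
    real = 0x0014cc64  # where "the result" really lives in this image
    for addr in (0x00140100, 0x00141200, 0x00142003, real, 0x7ffe0800):
        mem.write(addr, 4, 0x2710)  # 0x2710 == 10000, as in the calc walkthrough

    first = mem.track("result", 4, 0x2710)  # fresh name -> full sweep, 5 hits

    # Let the target run: the result becomes 0x2713, one unrelated variable
    # happens to take the same value, and another changes to something else.
    mem.write(real, 4, 0x2713)
    mem.write(0x7ffe0800, 4, 0x2713)
    mem.write(0x00140100, 4, 0x2711)
    second = mem.track("result", 4, 0x2713)  # known name -> narrow only, 2 left

    # Still ambiguous, so change the value once more and narrow again.
    mem.write(real, 4, 0x2714)
    third = mem.track("result", 4, 0x2714)  # down to the real address
    return first, second, third, mem.listing()


if __name__ == "__main__":
    first, second, third, tracked = demo()
    print("sweep:", [hex(a) for a in first])
    print("narrowed:", [hex(a) for a in second])
    print("narrowed again:", [hex(a) for a in third])
    print("tracking:", tracked)
```

Two details matter when you do this against a real target: the value must actually change between passes (re-issuing the same value filters nothing), and the name must be reused with the same size, which is why the example refuses a size change rather than silently re-sweeping.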

To list what values you're tracking, their sizes, and how many candidates they have, simply type:
